iFrame attack injects code via PNGs

jolancer

[EDIT: after looking at the original link inside the link, lol... correct me if I interpreted this wrong: those types of embedded scripts need you to open the PNG in a web browser to have their desired effect? And it appears this could apply to any image format; it just happened to be a PNG the original blogger was referring to in his scenario.]


Strange, I just received a spam message in one of my Gmail accounts with an attached .png. Of course I did not open the image... however...

...stranger still, I almost never receive spam, though there could be tons of spam in Gmail's /spam directory. I never know because I never use anything to access it, just an email client through POP.

...stranger yet, this account that the spam showed up on is not old and I had not emailed anyone with it. My first assumption would be that they got the Gmail account address by seeing which new account names failed due to already being taken?

The email name I used was short, with just letters. It wasn't going to be used for anything important, that's why I made it memorable. All my other account names aren't as short and not as memorable, and did not receive any such spam in the inbox.

I received 2 messages. The first one was strange in the fact that the spammer had apparently gone to lengths to try and message my account with an email account domain generally used in the country of origin which they thought I was from due to the email name... along with country of origin references due to where they thought I was. They would have been correct assuming by name only but were way off, lol. The 2nd message was dated 2 days later from a random domain... very spammy looking, no message etc., just a general title trying to make someone think the attached PNG was a file for a claim.

What about JPG, GIF, etc.? Does this mean most such image formats will be compromised if not already? Or are such exploits limited to PNG at the moment for whatever reasons?

I would have switched from Gmail already, I just haven't figured out yet if there's an actual practical free alternative... as in, one free provider being just as useless as another free provider, so if using a free provider, no point in switching to another free provider?
 

46andtool

Thanks for mentioning Firefox. I've been using Chrome up until now and just downloaded Firefox along with NoScript and Adblock Plus. How do you normally use NoScript? What I mean is, do you only whitelist a few websites, temporarily allow scripts on ones you deem trustworthy (and how do you deem a website trustworthy), etc.?

I am trying to listen to podcasts on this site:
http://radiomisterioso.com/

and the only way the podcasts load is if I temporarily allow the scripts.

Basically, what scripts are safe and required to run to view podcasts and video?
 

lxskllr

46andtool said:
> Thanks for mentioning Firefox. I've been using Chrome up until now and just downloaded Firefox along with NoScript and Adblock Plus. How do you normally use NoScript? What I mean is, do you only whitelist a few websites, temporarily allow scripts on ones you deem trustworthy (and how do you deem a website trustworthy), etc.?
>
> I am trying to listen to podcasts on this site:
> http://radiomisterioso.com/
>
> and the only way the podcasts load is if I temporarily allow the scripts.
>
> Basically, what scripts are safe and required to run to view podcasts and video?

I have very few sites whitelisted, and have many blacklisted. I do my blacklist slowly as the mood strikes me. That adds more work to the browsing experience, but it's safer, and overall makes the web faster and less irritating.

For your link specifically, I don't have to allow anything aside from clicking on the web player when it launches. I do have Youtube whitelisted which is one of the few sites I have that is.
 

Red Squirrel

That's scary. I wonder if Linux is affected by this too. Though I guess the malicious code would probably be more likely to be targeted to Windows. File paths and such would be affecting files in C:\%windows%\ or what not. Perhaps replacing DLLs with malicious ones, or whatever it is these type of things tend to do.
 

John Connor

46andtool said:
> Thanks for mentioning Firefox. I've been using Chrome up until now and just downloaded Firefox along with NoScript and Adblock Plus. How do you normally use NoScript? What I mean is, do you only whitelist a few websites, temporarily allow scripts on ones you deem trustworthy (and how do you deem a website trustworthy), etc.?
>
> I am trying to listen to podcasts on this site:
> http://radiomisterioso.com/
>
> and the only way the podcasts load is if I temporarily allow the scripts.
>
> Basically, what scripts are safe and required to run to view podcasts and video?


Go into the options and allow base 2nd level by default to lessen the cumbersomeness. If you run into a heavily scripted site you can temporarily allow the whole page or just scripts that have to do with the video, etc.
 

razel

I'm a web developer, it took me awhile to figure out their obfuscation, but good lord, after reading the original blog, it's all about the next to last paragraph which leads you to a service they are selling:

"As is often the case, some creative sleuthing and troubleshooting allowed us to spend the time required to find this lovely little gem. Do we detect it now via our Website Malware Scanner? Absolutely!!!"

The so-called iframe exploit is nothing new or dangerous. They are just trying to emphasize that their service is special from others... advertising.

Another reason why journalism these days has become advertising for companies. The person who wrote the article for The Register doesn't really know what's going on. Good thing Anandtech is doing a great job of 'walking the line.' If your product does something bad or isn't very good, it may not be stated in the review, but if you read carefully, the data spells it out to you.
 

razel

> URL not found.

You missed the point... I did not want to link to their product, so I just changed it. Did you see what I changed it to?

You can get the link yourself in your original post. You surely can't be that lazy that you don't thoroughly read the article in your own post?
 

jolancer

/noscript/option/embeddings/forbid Iframe
If an image after that is iframed, you can right-click the placeholder and copy the image location, paste it into a new tab and open it without the IFrame.
 